Re: Home - Web Application Security Consortium
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Wed, 30 Jun 2004 10:13:18 -0700
On Tuesday, June 29, 2004, at 08:08 PM, Arian J. Evans wrote:
So you were agreeing with me in your response?
How is WASC going to play with OWASP? Time will tell, but in my opinion
the more web application security awareness the better. The
hurdle we have in the industry is education, not the lack of available
solutions. Once the problem is known and understood, applying
is often easy.
I guess it strikes me as odd since OWASP is so well known; clients that
don't understand any of the concepts you mentioned or know who
are frequently know of OWASP. And have downloaded the Top 10.
It seems strange not to have used that vehicle for awareness, since it is
already generating awareness and effectively educating many people. I
fail to see how yet another consortium will help education.
You're right, it probably looks strange that there are two groups which
are similar in nature. Though this is a common occurrence in the
When WASC formed, we knew ahead of time the projects we wanted to focus
on (2 mentioned earlier). We also knew what we were looking to achieve
in the future. Taking this into account, as a group we chose not to
leverage the visibility of an existing organization. We decided to
differentiate and be judged through our deliverables as they are made
I'd also like to point out that participation in WASC or OWASP is not
mutually exclusive. There are participants in WASC who are or have been
members of OWASP. The same is true in reverse. It is a community.
But it is a free world; you undoubtedly have your reasons and I don't
people putting their nose into my business, so...
I have no vested interest one way or the other in OWASP. My concern
is more around a vendor FUD/hype vehicle, as you probably detected.
Your concerns are completely valid. Especially since both organizations
are dominated by vendors of all varieties. We'd all like to see the industry
mature beyond where it is today. As I said before, awareness and education
is an essential step toward applying effective solutions. Healthy
skepticism is encouraged as it provides the checks and balances
necessary for a successful endeavor.
I think I hit all the points, hope this helps.
Thanks for explaining. Looking forward to the output of your
Disappointed it's not a community effort, but I also understand how
and unfruitful collective community efforts can be.
I don't know about disappointing, both are essentially open community
efforts moving in a similar direction. But as an industry I believe
we've been slow to work together and accomplish things. More groups
will help speed things along. In my personal opinion, more choice for
the user equals better overall results. From CERT to CISecurity to ISC2
to ISECOM, I'm sure WASC and OWASP won't be the only two groups in the